Subject: Bug#1597: Possible security vulnerability: x2goclient crashes calling ssh-keygen due to unsanitized arguments
Resent-From: "Peter O'Regan"
Resent-To: x2go-dev@lists.x2go.org
Resent-Date: Tue, 31 Jan 2023 19:25:02 +0000
X-X2Go-PR-Package: x2goclient
From: "Peter O'Regan"
Date: Tue, 31 Jan 2023 14:20:21 -0500
To: submit@bugs.x2go.org

Package: x2goclient
Version: 4.1.2.2-2020.02.13

x2goclient assumes the path to its application data directory does not have any spaces or single-quotes, but these are legal path directories for users on Windows systems. As a result, if the path to the x2go directory contains spaces or apostrophes (C:/Users/O'Regan, for instance), the call will fail. I have experienced this error and can reproduce the failure behavior by calling ssh-keygen from the terminal.

The fix, I think, is to add double quotes to open and close the "private_key_file" string sent to ssh-keygen in onmainwindow.cpp, line 11353, or to apply a dedicated sanitization function.

Testing in the terminal:
ssh-keygen -f C:\Users\O'Regan\.x2go\etc\mykeyfile will fail.
ssh-keygen -f "C:\Users\O'Regan\.x2go\etc\mykeyfile" will succeed.
There may be other places/program calls that also need sanitizing.

This is also potentially a security issue since it lets the program caller influence what arguments are sent to generate an SSH key by altering the "HOME" environment variable queried by Qt in line 185 from QDir::homePath(). (I'm not sure how easy it is to change this or related environment variables mid-session, but I imagine it might be possible.) The path appears as the final argument to ssh-keygen, so it will also overrule the preceding arguments. For instance, I could reduce the bit count for the key or key type to make the credential easier to brute-force.

I am using Windows 11.

Thank you,
Peter
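The hazard the report describes (a path derived from HOME being re-tokenized into extra ssh-keygen options) is easiest to see by contrasting the two ways the call can be built. The following C++ is an added example and not x2goclient's code: it keeps the key path as one element of an argument vector, which is what Qt's QProcess::start(program, QStringList) passes through untouched, and sets that beside the unquoted single-string form that a shell-style tokenizer re-splits. The key type and size are assumed placeholder values, the tokenizer is a deliberate simplification (whitespace and single quotes only, backslashes not special), and the path with a space is constructed; the path with an apostrophe is the one from the report.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Sample paths: the first is taken from the bug report, the second is a
// constructed path containing a space, the other case the report names.
const std::string kPathWithQuote = "C:\\Users\\O'Regan\\.x2go\\etc\\mykeyfile";
const std::string kPathWithSpace = "C:\\Users\\Some User\\.x2go\\etc\\mykeyfile";

// Safe shape: each option and value is its own element, and the key path is
// exactly one element whatever characters it contains. Given to an exec-style
// API (QProcess::start(program, QStringList) in Qt) it can never be re-split.
// Key type and size are assumed placeholders, not x2goclient's real settings.
std::vector<std::string> build_keygen_argv(const std::string &key_path) {
    return {"ssh-keygen", "-t", "rsa", "-b", "4096", "-f", key_path};
}

// Unsafe shape: the same arguments concatenated into one string without any
// quoting, which is how the report describes the failing call being built.
std::string join_unquoted(const std::vector<std::string> &argv) {
    std::string cmd;
    for (size_t i = 0; i < argv.size(); ++i) {
        if (i) cmd += ' ';
        cmd += argv[i];
    }
    return cmd;
}

// Minimal shell-like tokenizer: whitespace separates words, single quotes
// group text, backslashes are ordinary characters so Windows paths pass
// through. Returns false when a quote is left open (the line is rejected).
bool shell_tokenize(const std::string &cmd, std::vector<std::string> &out) {
    out.clear();
    std::string cur;
    bool in_word = false, in_quote = false;
    for (char c : cmd) {
        if (in_quote) {
            if (c == '\'') in_quote = false; else cur += c;
            continue;
        }
        if (c == '\'') { in_quote = true; in_word = true; continue; }
        if (c == ' ' || c == '\t') {
            if (in_word) { out.push_back(cur); cur.clear(); in_word = false; }
            continue;
        }
        cur += c;
        in_word = true;
    }
    if (in_quote) return false;
    if (in_word) out.push_back(cur);
    return true;
}

// Number of argv entries that survive the unquoted round trip, or -1 when
// the tokenizer rejects the line. A well-formed call here has exactly 7.
int tokens_after_unquoted_roundtrip(const std::string &key_path) {
    std::vector<std::string> toks;
    if (!shell_tokenize(join_unquoted(build_keygen_argv(key_path)), toks)) return -1;
    return static_cast<int>(toks.size());
}

// Pre-spawn check to keep in front of the real call: the vector must have the
// expected length and end with "-f" followed by the exact path, so nothing
// derived from HOME has become an additional option.
bool argv_is_well_formed(const std::vector<std::string> &argv, const std::string &key_path) {
    return argv.size() == 7 && argv[5] == "-f" && argv[6] == key_path;
}

int main() {
    const std::string paths[] = {kPathWithQuote, kPathWithSpace};
    for (const std::string &p : paths) {
        std::printf("%-45s vector ok=%d, unquoted round-trip tokens=%d\n", p.c_str(),
                    argv_is_well_formed(build_keygen_argv(p), p) ? 1 : 0,
                    tokens_after_unquoted_roundtrip(p));
    }
    return 0;
}
```

Run stand-alone, the apostrophe path reports -1 (rejected as an unterminated quote, the "will fail" case) and the space path reports 8 tokens (the path split into two, so the count no longer matches), while both pass the vector check. The point for a reviewer of onmainwindow.cpp is that quoting the string is a patch over the symptom; passing a QStringList removes the re-tokenization step entirely, and the length check is a cheap guard even then.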